Check on every deploy ssh connection if we are on the right machine
parent
362cf35957
commit
a8bde144b3
|
@ -157,6 +157,7 @@ in
|
||||||
'';
|
'';
|
||||||
|
|
||||||
runOnServer = pkgs.writeShellScript "run-on-${server}" ''
|
runOnServer = pkgs.writeShellScript "run-on-${server}" ''
|
||||||
|
# we cannot execute any other commands here because it grabs away $@
|
||||||
ssh root@${serverFQDN} -- $@
|
ssh root@${serverFQDN} -- $@
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
24
packages.nix
24
packages.nix
|
@ -115,9 +115,9 @@ lib.attrsets.mapAttrs
|
||||||
exit 2
|
exit 2
|
||||||
''}
|
''}
|
||||||
|
|
||||||
if [[ $(ssh ${target} cat /etc/hostname) != ${name} ]]; then
|
hostname="$(ssh ${target} cat /etc/hostname)"
|
||||||
echo "hostname of the target machine does not match, please manually investigate!"
|
if [[ "$hostname" != ${name} ]]; then
|
||||||
echo " $(ssh ${target} cat /etc/hostname) != ${name}"
|
echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
|
nix copy --no-check-sigs --to ssh-ng://${target} ${inputPaths}
|
||||||
|
@ -125,7 +125,9 @@ lib.attrsets.mapAttrs
|
||||||
|
|
||||||
# use nixos-rebuild from target config
|
# use nixos-rebuild from target config
|
||||||
ssh ${target} bash -e <<END
|
ssh ${target} bash -e <<END
|
||||||
nix build ${toplevelDrvPath}
|
set -eou pipefail
|
||||||
|
set -x
|
||||||
|
nix build --no-link ${toplevelDrvPath}
|
||||||
${discardStringCtx hostConfig.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${toplevelOutPath}
|
${discardStringCtx hostConfig.nix.package}/bin/nix-env -p /nix/var/nix/profiles/system --set ${toplevelOutPath}
|
||||||
${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
|
${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
|
||||||
END
|
END
|
||||||
|
@ -161,7 +163,13 @@ lib.attrsets.mapAttrs
|
||||||
"${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
|
"${name}-nixos-rebuild-local" = pkgs.writeScriptBin "${name}-nixos-rebuild" ''
|
||||||
set -eou pipefail
|
set -eou pipefail
|
||||||
|
|
||||||
[[ ''${1:-} == build || $(ssh ${target} cat /etc/hostname) == ${name} ]]
|
if [[ ''${1:-} == build; then
|
||||||
|
hostname=$(ssh root@${target} cat /etc/hostname)"
|
||||||
|
if [[ "$hostname" != ${name} ]]; then
|
||||||
|
echo "hostname of ${target} was expected to be ${name} but is $hostname. Aborting to be safe..."
|
||||||
|
exit 2
|
||||||
|
fi
|
||||||
|
fi
|
||||||
# don't re-execute, otherwise we run the targetPlatform locally
|
# don't re-execute, otherwise we run the targetPlatform locally
|
||||||
_NIXOS_REBUILD_REEXEC=1 ${lib.getExe pkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
|
_NIXOS_REBUILD_REEXEC=1 ${lib.getExe pkgs.nixos-rebuild} ${rebuildArg} --target-host ${target} --use-remote-sudo "$@"
|
||||||
'';
|
'';
|
||||||
|
@ -219,9 +227,9 @@ lib.attrsets.mapAttrs
|
||||||
ssh ${target} bash -e <<END
|
ssh ${target} bash -e <<END
|
||||||
set -eou pipefail
|
set -eou pipefail
|
||||||
|
|
||||||
if [[ \$(cat /etc/hostname) != ${name} ]]; then
|
hostname=\$(cat /etc/hostname)
|
||||||
echo "hostname of the target machine does not match, please manually investigate!"
|
if [[ "\$hostname" != ${name} ]]; then
|
||||||
echo " $(cat /etc/hostname) != ${name}"
|
echo "hostname of ${target} was expected to be ${name} but is \$hostname. Aborting to be safe..."
|
||||||
exit 2
|
exit 2
|
||||||
fi
|
fi
|
||||||
${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
|
${toplevelOutPath}/bin/switch-to-configuration "''${@:-switch}"
|
||||||
|
|
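Review bot: The new guard in the `${name}-nixos-rebuild-local` hunk (`@ -161,7 +163,13`) does not parse and is inverted, so the wrong-machine check this commit is about never runs there. `if [[ ''${1:-} == build; then` lacks the closing `]]`, and the following `hostname=$(ssh root@${target} cat /etc/hostname)"` ends in an unbalanced `"`. The test also enters the check only for `build`, whereas the removed one-liner skipped it for `build` and enforced it for every other action. I would write `if [[ ''${1:-} != build ]]; then` and `hostname="$(ssh ${target} cat /etc/hostname)"`, which also drops the `root@` prefix that the other two hostname checks in this file do not use. Since `/etc/hostname` is reported by whichever host answers the connection, a comment such as `# guards against a mis-pointed target; host authenticity still relies on SSH host-key verification` would keep readers from treating it as an identity check.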